LinkedIn and eHarmony hashed (often loosely described as "encrypted") the
passwords of registered users, but neither salted the hashes with extra
data that would have made them much more difficult to crack.

Without salting, it's very easy to crack password hashes by comparing
them against pre-computed hashes of common passwords and dictionary
words.

Every security expert who takes his job seriously knows this, and
so does every hacker who wants to make money by
stealing account information, including the one who posted
the LinkedIn and eHarmony password lists in hacker forums seeking
help with cracking passwords.

LinkedIn learned the necessity of salting the hard way, as
director Vicente Silveira obliquely admitted in a blog posting late yesterday, which came
after hours of insistence that LinkedIn could not confirm the
data breach.

"We just recently put in place," Silveira wrote, "enhanced
security … which includes hashing and salting of our current
password databases."

That's nice. No mention of salting at all. Too bad, because by
the time Teraoka wrote that blog posting, 90 percent of the 1.5
million password hashes on the eHarmony password list had already
been cracked.

Plug in your own password. The site will generate the same
40-character hash that LinkedIn used.

Copy everything in the hash AFTER the first five characters —
I'll explain why — and search for the shorter 35-character string
in the LinkedIn password list.

Yours isn't there? Good — neither was mine.

But if you search for common passwords such as "password,"
"letmein" or "123456," they're all there.

In fact, those three are listed with "00000" at the beginning of
the hash, indicating that the hacker who uploaded the file had
already cracked them. To avoid duplication, he marked cracked
hashes by replacing the first five characters with a string of
zeroes.

So "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8," the hash for
"password," is listed as
"000001e4c9b93f3f0682250b6cf8331b7ee68fd8." The hash for
"123456," which is "7c4a8d09ca3762af61e59520943dc26494f8941b," is
instead listed as
"00000d09ca3762af61e59520943dc26494f8941b."

Why you should always salt your password hashes

It's very difficult to reverse a hash, such as by running
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" through some sort of
formula to produce "password."

But no one needs to. If you know that "password" will always
result in the SHA-1 hash
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8," all you have to do is
look for the latter in a list of password hashes to know that
"password" is there.

Every security expert, and every hacker, knows this. That's why
hackers keep long lists of pre-computed hashes of common
passwords, and why security experts who take their jobs seriously
make the extra effort to salt password hashes, feeding extra random
data into the hash algorithm along with the password.

It's also why you should use long passwords composed of letters,
numbers and punctuation marks: such combinations are unlikely to
appear in a pre-computed hash list and are effectively impossible
to reverse.

With salting, "password" doesn't always result in
"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." Instead, it's a
different 40-character string — every time.

Any hacker who'd gotten a list of LinkedIn or eHarmony passwords
with salted hashes would have found it very difficult to match
the hashes to any particular password hash on his pre-computed
list.
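The lookup described above (matching only the 35 characters after the "00000" marker) and the effect of salting, as an added example that is not part of the original article; the leaked list is a constructed stand-in of three entries, and PBKDF2 is used for the salted variant as an assumption about what a sound scheme looks like, not as anything LinkedIn or eHarmony deployed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Unsalted SHA-1 hashes quoted in the article for "password" and "123456".
SHA1_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
SHA1_123456 = "7c4a8d09ca3762af61e59520943dc26494f8941b"

# Constructed stand-in for the leaked list: the two hashes above as the
# uploader marked them (first five hex characters replaced by zeroes,
# meaning "already cracked"), plus one untouched hash of "letmein".
LEAKED_LIST = [
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "00000d09ca3762af61e59520943dc26494f8941b",
    hashlib.sha1(b"letmein").hexdigest(),
]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_in_leak(password: str, leaked: List[str]) -> Optional[str]:
    """Look a password up the way the article describes: compare only the
    last 35 hex characters so both cracked (00000-prefixed) and uncracked
    entries match. Returns "cracked", "uncracked", or None if absent."""
    tail = sha1_hex(password)[5:]
    for entry in leaked:
        if entry[5:] == tail:
            return "cracked" if entry.startswith("00000") else "uncracked"
    return None


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted hash: a fresh random salt per user means the same password
    yields a different digest every time, so a precomputed list of unsalted
    hashes cannot be matched against it. PBKDF2 (assumed here) is used
    rather than one plain SHA-1 round because a salt alone does not slow
    down guessing; the salt must be stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored_hex)
```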

LinkedIn and eHarmony should have bothered to take the extra step
of salting their password hashes years ago.

If they'd done so, millions of people wouldn't be changing their
passwords today and worrying about whether their LinkedIn and
eHarmony accounts — and any other account with the same usernames
and passwords — had been compromised.